libxml2: Fix CVE-2017-5969
Fix NULL pointer deref in xmlDumpElementContent Can only be triggered in recovery mode. Fixes bug 758422 CVE: CVE-2017-5969 (From OE-Core rev: 0cae039cbe513b7998e067f4f3958af2ec65ed1a) (From OE-Core rev: f0017a7b8b3fc4407e6596156b57aa1183937382) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
93b0d29184
commit
9d59e7d739
|
@ -0,0 +1,62 @@
|
|||
libxml2-2.9.4: Fix CVE-2017-5969
|
||||
|
||||
[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
|
||||
|
||||
valid: Fix NULL pointer deref in xmlDumpElementContent
|
||||
|
||||
Can only be triggered in recovery mode.
|
||||
|
||||
Fixes bug 758422
|
||||
|
||||
Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
|
||||
CVE: CVE-2017-5969
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
|
||||
diff --git a/valid.c b/valid.c
|
||||
index 19f84b8..0a8e58a 100644
|
||||
--- a/valid.c
|
||||
+++ b/valid.c
|
||||
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
|
||||
xmlBufferWriteCHAR(buf, content->name);
|
||||
break;
|
||||
case XML_ELEMENT_CONTENT_SEQ:
|
||||
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
|
||||
+ if ((content->c1 != NULL) &&
|
||||
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
|
||||
xmlDumpElementContent(buf, content->c1, 1);
|
||||
else
|
||||
xmlDumpElementContent(buf, content->c1, 0);
|
||||
xmlBufferWriteChar(buf, " , ");
|
||||
- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
|
||||
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
|
||||
+ if ((content->c2 != NULL) &&
|
||||
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
|
||||
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
|
||||
xmlDumpElementContent(buf, content->c2, 1);
|
||||
else
|
||||
xmlDumpElementContent(buf, content->c2, 0);
|
||||
break;
|
||||
case XML_ELEMENT_CONTENT_OR:
|
||||
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
|
||||
+ if ((content->c1 != NULL) &&
|
||||
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
|
||||
xmlDumpElementContent(buf, content->c1, 1);
|
||||
else
|
||||
xmlDumpElementContent(buf, content->c1, 0);
|
||||
xmlBufferWriteChar(buf, " | ");
|
||||
- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
|
||||
- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
|
||||
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
|
||||
+ if ((content->c2 != NULL) &&
|
||||
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
|
||||
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
|
||||
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
|
||||
xmlDumpElementContent(buf, content->c2, 1);
|
||||
else
|
||||
xmlDumpElementContent(buf, content->c2, 0);
|
|
@ -26,6 +26,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
|
|||
file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
|
||||
file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
|
||||
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
|
||||
file://libxml2-CVE-2017-5969.patch \
|
||||
file://CVE-2016-9318.patch \
|
||||
"
|
||||
|
||||
|
|
Loading…
Reference in New Issue